Access controller using tree-structured data

ABSTRACT

Provide access control devices methods and systems that include a data structure which makes the data amount of a database constituting policies as small as possible even if a policy including a number of complicated conditions is set. An access control device of the present invention receives inputs of policies each for controlling access to a part of a data source, and stores these policies. The access control device generates tree-structured data from the stored policies, merges these tree-structured data, and stores the merged tree-structured data. When determining whether or not access should be permitted, the access control device performs determination on the basis of this stored tree-structured data.

FIELD OF THE INVENTION

The present invention relates to an access controller usingtree-structured data. More specifically, the present invention relatesto performing control when a user accesses data stored in a databaseserver.

BACKGROUND OF THE INVENTION

In order to acquire data to be processed, it has heretofore beenconducted to access a database server which stores the data. In thisaccess, the user uses a computer terminal, which is a client, to acquirethe data by accessing the database server via a Local Area Network (LAN)and/or the Internet. The data stored is described in extensible MarkupLanguage (XML) or Hyper Text Markup Language (HTML). Particularly, adocument described in XML is referred to as an XML document. The XMLdocument is known as a structured document which can be structuredaccording to the intention of an information provider. Such XMLdocuments are widely used from a large scale database such as a genomeinformation database to a small scale database such as medical records.

Here, there is a case where an administrator of the database performssettings on the XML documents in which, when a user accesses thedatabase, the access is denied depending on the user. For example, anadministrator of a medical records database in a hospital needs toperform control so that a patient cannot access the medical records dataof his/her own.

Specifically, for example, a method is known in which access control isperformed by the use of a rule referred to as a policy. For example, thepolicy is determined on the basis of names, job titles, sections and thelike of users.

Then, by the use of the policy, access control is performed for eachfile or each folder as the Windows (registered trademark) file systemadopts. With this, it can be prevented that a user or a group of userswith no permission access the relevant file or folder.

However, there is a case where the control is demanded in which, for auser, the access to a part of a file is permitted, and the access to theremaining part of the file is denied.

For example, assume that medical records are created as one XML documentand stored in a database. In this case, it is preferred that doctors canaccess the whole medical records information, but interns can accessonly the diagnostic information of patients. However, with the accesscontrol method described above, the policy can only be set for eachfile. Accordingly, it is impossible to perform access control withrespect to a part of the XML document.

As a method for solving such a problem, a control device enabling accesswith respect to each internal structural unit of an XML document isknown (Japanese Patent Laid-Open No. 2001-273285, hereinafter referredto as Patent Document 1). In Patent Document 1, an access control devicewhich control access with respect to each internal structural unit of adocument by incorporating policies into an XML document is shown. TheXML document of Patent Document 1 includes records which are data of adatabase, and policies each of which is set for each of the records.When a user accesses a part of the XML document, the access controldevice controls the access by reading the incorporated policies.

However, this access control device is not suitable when the number ofrecords of the database is large. This is because when the number ofrecords of a database increases, the number of policies to control theaccess to the records also increases, and thus the XML document becomesvery large.

For example, as for genome information, in some cases, the data size ofrecords of an XML document becomes one gigabyte or more. In addition, alarge number of users of enterprises, academic societies and the likeaccess the XML document. Accordingly, it is necessary to set the policyfor each of the large number of users who access the XML document, andthe data amount of the policies becomes enormous. Therefore, both of thedata amount of the records and the data amount of the policies becomeenormous, and the file of the XML document becomes very large.

Under the circumstances, a method of separating policies from an XMLdocument and making the policies into a database is known (Naishin Seki,Michiharu Kudo, “Access Control Using Pathtables for XML Database”,Computer Security Group, Information Processing Society, Nov. 14, 2003;hereinafter referred to as Non-Patent Document 1). In Non-PatentDocument 1, there is disclosed a method of constructing the policies asa table database. The table database is composed of path expressions fordesignating specific parts of an XML document, and conditionsrespectively corresponding to the path expressions. The condition is onewhich is used to determine whether or not the access from a user to thepart designated by a path expression should be permitted. When a userperforms access, the access control device calculates a path expressionfor this access request. Then, the access control device reads out acondition corresponding to the path expression from a table. If the usermeets the read-out condition, the access control device permits theaccess to the part of the XML document which is designated by the pathexpression.

Incidentally, there is a case where a policy is composed of a largenumber of complicated conditions. The complicated condition means, inaddition to a condition formed by combining AND conditions or ORconditions, a below-described condition which is used to perform adetermination by the use of a data value read out from a database.

A policy including a condition which is used to perform a determinationby the use of a data value is used for medical records, for example.Specifically, provided that such a policy that the access from a patienthimself/herself is denied if the “malignancy degree” of a disease of thepatient is 40% or more is set in an access control device, for example,when the patient himself/herself accesses the data of the medicalrecords, the access control device retrieves the data value in which the“malignancy degree” data of the patient is recorded, and reads out thedata value to determine the “malignancy degree” of the patienthimself/herself. By the use of the read-out data value, it is determinedwhether the malignancy degree is 40% or more or is less than 40%. Theaccess is denied when the malignancy degree is 40% or more, and theaccess is permitted when the malignancy degree is less than 40%.

In the above described table database, it is necessary to store thewhole table into a storing device such as a memory of the access controldevice. However, in the table database, since a large number of datavalues are read from the data source file of the data values for thepolicy which includes a condition using a data value, the data amount ofthe table increases.

In this way, in the table database, when a policy which includes acondition using a data value is set for the database, it is difficult touse the hardware resources efficiently. Accordingly, the data structurein which the data amount of the database constituting a policy becomesminimum even when the policy including such a large number ofcomplicated conditions is set, has long been awaited.

SUMMARY OF THE INVENTION

Therefore, the present invention provides methods, systems and apparatusfor controlling access to a data source, An example device comprises:policy storing means for storing a plurality of policies, each forcontrolling access to a part of the data source, when these policies areinputted; access-determination-tree generating means for generating aplurality of tree-structured data from the plurality of policies;access-determination-tree merging means for merging the plurality oftree-structured data; access-determination-tree storing means forstoring the merged tree-structured data; and access determining meansfor, when access to a part of the data source is attempted, determiningfrom the merged tree-structured data whether or not the access to thepart should be permitted.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and theadvantages thereof, reference is now made to the following descriptiontaken in conjunction with the accompanying drawings, in which:

FIG. 1 shows a hardware configuration of an access control system of thepresent invention;

FIG. 2 shows a hardware configuration of a user terminal;

FIG. 3 shows a hardware configuration of an access control device;

FIG. 4 is a flowchart showing an operation performed by respective meansof the access control device;

FIG. 5 shows an example of performing access determination by the use ofan access determination tree;

FIG. 6 shows an example of generating an access determination tree forSubject;

FIG. 7 is a flowchart for generating an access determination tree forSubject;

FIG. 8 shows an example of generating an access determination tree forObject;

FIG. 9 is a flowchart for generating an access determination tree forObject;

FIG. 10 shows an example of an access determination tree given when “//”is included in Object;

FIG. 11 is a flowchart for generating an access determination tree when“//” is included in Object;

FIG. 12 shows a sequence of generating an access determination tree;

FIG. 13 is a flowchart showing a process sequence of accessdetermination;

FIG. 14 illustrates access determination when “//” is included inObject;

FIG. 15 is a flowchart showing a process performed when there is anaccess to a part the access to which is controlled by the use of a datavalue;

FIG. 16 shows the generation of access determination trees fromconditions and the merging thereof;

FIG. 17 is a flowchart showing a process of access determining meansperformed in the case where a data value is read out;

FIG. 18 shows access determination tree generated from accessdetermination trees not using a data value and an access determinationtree using a data value, and an XML document used; and

FIG. 19 is a flowchart showing a process procedure of merging accessdetermination trees.

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides methods, systems and apparatus forcontrolling access to a data source, An example device comprises: policystoring means for storing a plurality of policies, each for controllingaccess to a part of the data source, when these policies are inputted;access-determination-tree generating means for generating a plurality oftree-structured data from the plurality of policies;access-determination-tree merging means for merging the plurality oftree-structured data; access-determination-tree storing means forstoring the merged tree-structured data; and access determining meansfor, when access to a part of the data source is attempted, determiningfrom the merged tree-structured data whether or not the access to thepart should be permitted.

According to the present invention, the access control device stores aplurality of policies, each for controlling access to a part of the datasource, when these policies are inputted, and generates a plurality oftree-structured data from these stored policies. Then, the accesscontrol device merges the plurality of tree-structured data thusgenerated, and, when access to a part of the data source is attempted,determines from the merged tree-structured data whether or not theaccess to the part should be permitted.

Here, for a policy composed of a plurality of conditions, atree-structured data is constructed of nodes corresponding to theconditions, and links associating these nodes. Specifically, for allinputted policies, access-determination-tree generating means extractsconditions which are common to the policies or some of the policies,makes these common conditions upper-level nodes, and makes conditionswhich are not common lower-level nodes. The access-determination-treegenerating means merges the common upper-level nodes. Thus, thetree-structured data is made in which the conditions represented by theupper-level nodes are shared and only the conditions represented by thelower-level nodes are different. By arranging conditions common to aplurality of policies or some of the policies at upper-level nodes, itis possible to reduce the data amount in a database for the policies andthus to efficiently use hardware resources.

For a policy composed of a plurality of conditions, a tree-structureddata according to the present invention includes nodes corresponding tothe conditions, and links associating these nodes. Specifically, for allinputted policies, access-determination-tree generating means extractsconditions which are common to the policies or some of the policies,makes these common conditions upper-level nodes, and makes conditionswhich are not common lower-level nodes. The access-determination-treegenerating means merges the common upper-level nodes. Thus, thetree-structured data is made in which the conditions represented by theupper-level nodes are shared and only the conditions represented by thelower-level nodes are different. By arranging conditions common to aplurality of policies or some of the policies at upper-level nodes, itis possible to reduce the data amount in a database for the policies andthus to efficiently use hardware resources.

A description will be given below of a advantageous embodiment of thepresent invention with reference to the drawings. As shown in FIG. 1, anaccess control system 1 includes a plurality of user terminals 20, anaccess control device 10 connected to the user terminals 20 via acommunication line network 30, a data source server 32 connected to theaccess control device 10 also via the communication line network 30, anddata source storing means 31 directly connected to the access controldevice 10.

As shown in FIG. 2, the user terminal 20 includes display means 21 suchas a CRT display and a liquid crystal display, input means 22 such as akeyboard, a ten-key pad and a mouse, storing means 23 such as a harddisk and a memory, control means 24 such as a CPU, and communicationmeans 25 such as a network card connected to the communication linenetwork 30. The user terminal 20 has a client function which enables auser to access data, which is a data source, via the communication linenetwork 30. When a user accesses a part of the data source, the userterminal 20 transmits an access request to perform actions such asreading out, writing and updating on the part of the data source. Here,the user terminal 20 maybe either a computer terminal or a personaldigital assistant.

The communication line network 30 is a network to connect the accesscontrol device 10 and the user terminals 20. The communication linenetwork 30 may be either a Local Area Network (LAN) or the Internet.

The data source server 32 is a computer and a database server storing adata source such as an XML document the access to which is controlled.While the data source server 32 is connected to the access controldevice 10 via the communication line network 30, the data source server32 may be directly connected to the access control device 10. The datasource may be an XML document and the like stored as a file. The part ofthe data source is a partial region of the data source such as an XMLdocument. For example, the region is one which is enclosed by tags inthe XML document.

The data source storing means 31 is a device in which the data sourcesuch as an XML document is stored. For example, the data source storingmeans 31 may be storing means such as a hard disk. Moreover, the datasource storing means 31 may be installed either outside the accesscontrol device 10 as shown in FIG. 1, or inside the access controldevice 10.

As shown in FIG. 3, the access control device 10 includes communicationmeans 11, policy storing means 16, access-determination-tree generatingmeans 12, access-determination-tree merging means 14,access-determination-tree storing means 17, access determining means 13,and consistency verification means 15.

The communication means 11 is connected to the communication network 30and communicates with the user terminals 20 and the data source server32. The policy storing means 16 is a storing device which storespolicies inputted from the user terminals 20 via the communication linenetwork 30. The access-determination-tree generating means 12 generatesa tree-structured data by the use of the stored policies. Thetree-structured data is generated by making a condition of the policy anode, and making a value corresponding to the node a link. For thevalue, for example, attributes of a user (user name, group name, andpath value of the part to be accessed), values read out from the datasource (hereinafter referred to as “data value”) are used.

The access-determination-tree generating means 12 separates a pluralityof conditions and values from a policy, generates a plurality of nodesand links from the respective conditions and values separated, andconnects between the nodes using links. The access-determination-treegenerating means 12 similarly generates a tree-structured data for thenext policy. In this case, while the access-determination-treegenerating means 12 may generate a tree-structured data independently ofthe previously generated tree-structured data, theaccess-determination-tree generating means 12 may generate atree-structured data by using an upper node of the previously generatedtree-structured data to newly form a link from the node as describedlater using FIG. 12.

The access-determination-tree generating means 12 generates a firstaccess determination tree and a second access determination tree. Thefirst access determination tree is a tree-structured data which consistsof conditions not including a condition (hereinafter referred to as“condition using a data value) which, by reading out a value from thedata source, determines whether or not access should be permitted. Forexample, the first access determination tree is generated by the use ofa policy which does not include a condition using a data value at all.Additionally, also in the case of the policy including a condition usinga data value, the first access determination tree is generated from,among conditions included in the policy, conditions not including acondition using a data value. The second access determination tree is atree-structured data which consists only of conditions using a datavalue by reading out the data value. The second access determinationtree may be generated from conditions of predicate expressions describedlater.

The access-determination-tree merging means 14 merges the parts of theplurality of tree-structured data thus generated where the nodes and thelinks are common to the tree-structured data. Theaccess-determination-tree storing means 17 stores the mergedtree-structured data.

When receiving an access request from the user terminal 20, the accessdetermining means 13 performs determination whether or not the requestedaccess to a part of the data source should be permitted from the storedtree-structured data. The determination whether or not access should bepermitted is to determine in response to the access request whether auser attempting an access can perform actions of the access request.

The access determination means 13 determines whether a condition forcontrolling the access to a part of the data source is a condition whichneeds to read out a data value from the data source or the another datasource in the determination. Specifically, the access determinationmeans 13 determines, from the access request of the user, whether or notit is an access to the part of the data source the access to which iscontrolled by the use of a condition which needs to read out a datavalue (hereinafter referred to as “access to the part which iscontrolled by the use of a condition using a data value”). In the caseof the access to the part the access to which is controlled by the useof a condition using a data value, the access determining means 13 readsout a data value, and determines whether the access should be permittedfrom the read-out data value.

A description will be given of the specific operation performed by eachmeans of the access control device 10 with reference to the flowchart ofFIG. 4. An administrator inputs policies which are to be criteria forthe access determination (Step S01). The input of the administrator isperformed on the user terminal 20. When the access control device 10includes display means and input means, the policies are inputted fromthe access control device 10 via the input means. The inputted policiesare stored in the policy storing means 16.

Next, the access-determination-tree generating means 12 generates thefirst access determination tree (Step S02). The first accessdetermination tree is stored in the access-determination-tree storingmeans 17. Also as for the remaining inputted policies, theaccess-determination-tree generating means 12 generates the first accessdetermination tree. The plurality of first access determination treesthus generated are merged by the access-determination-tree merging means14 (Step S03).

Next, the access determining means 13 waits an access request from theuser terminals 20 to the data source stored in the data source storingmeans 31 or the data source server 32 (Step S04). When receiving anaccess request, the access determining means 13 performs accessdetermination from the first access determination tree (Step S05).

Then, during performing the access determination, the access determiningmeans 13 determines whether the access request is a request to accessthe part the access to which is controlled by the use of a conditionusing a data value (Step S06).

When it is not the access to the part the access to which is controlledby the use of a condition using a data value, the access determiningmeans 13 determines whether or not the access determination is finished(Step S15). When determining that the access determination is notfinished, the access determining means 13 further performs determinationwhether or not access should be permitted from the first accessdetermination tree (Step S05). When the access determining means 13determines that the access determination is finished, the consistencyverification means 15 verifies the consistency of the determined access(Step S12).

When the access attempted by a user is the access to the part the accessto which is controlled by the use of a condition using a data value, theaccess-determination-tree generating means 12 generates the secondaccess determination tree (Step S07). The second access determinationtree is a tree-structured data generated from conditions using a datavalue. The second access determination tree is stored in theaccess-determination-tree storing means 17.

To determine the access with respect to the second access determinationtree, it is necessary to read out a data value to be an index of thedetermination. The access determination means 13 reads out the datavalue from the data source (Step S08). The access determination means 13performs determination from the second access determination tree by theuse of the read-out data value (Step S09). The access determinationmeans 13 performs determination whether the access determination isfinished (Step S10). If the access determination is not finished, theaccess determination means 13 further performs access determination(back to Step S05).

If the access determination is finished, the access determination means13 verifies the consistency of the determined access (Step S12). Then,the access determination means 13 outputs the verified determinationresult (Step S13). By the use of the result, the user terminal 20performs the access to a part of the data source stored in the datasource storing means 31 or the data source server 32.

A description will be given of how the access control device 10 performsdetermination via each means when specific policies are inputted.Specifically, a description will be given of the case where the policiesbelow are inputted and the access control device 10 performs accessdetermination.

Assume that a policy, “Alice can see personnel information, but cannotsee confidential information; Bob cannot see either personnelinformation or confidential information,” is inputted. To simplify thispolicy, the access control policy, which is described in a pathexpression language shown in Table 1 below, is used. For a part of thepath expression language of Table 1, XML Path Language (XPath) can beused. TABLE 1 Name Explanation Example Subject-Type group, user ID,function UserID Subject identifier of accessing user Alice Object pathexpression to designate a /site/people position of the accessed documentAccess-mode +: access possible/−: access impossible −R, +r R: readingout, W: writing, U: updating, D: deletion If the alphabet is uppercase,all of the following nodes can be accessed. If the alphabet islowercase, the relevant node only can be accessed.

A description will be given of the path expression language.Subject-Type determines what kind Subject is. For example, it ispossible to employ UserID as Subject-Type and to employ UserName asSubject. In addition, it is possible to employ Group as Subject-Type andto employ GroupName as Subject. Incidentally, Object is an object towhich the access control is performed, designating the position or thepart of the data source to which a user actually performs access. Eachelement of the path expression specified by Object is defined as a pathvalue. Access-mode is a content of the determination, which is effectivewhen the conditions of Subject and Object are satisfied. The content ofthe determination may be, for example, a content of “access permitted”or “access denied”, or a content of “access possible” or “access denied”to read out. In this embodiment, described is the determinationperformed when a user attempts to read the document. However, thepresent invention can be similarly applied to the determination whetheror not the access of a user to perform writing should be permitted, thedetermination whether or not the access of a user to perform updatingshould be permitted, and the determination whether or not the access ofa user to perform deletion should be permitted.

+R of Access-mode means that all of the nodes not higher in thehierarchy than the part designated by Object can be accessed. On theother hand, +r means that only the node of the relevant hierarchicallevel can be accessed. When +R is adopted for Access-mode, an upper nodecan determine all of the Access-modes of the lower nodes.

Moreover, Access-mode may not necessarily be an end result ofdetermination. For example, in the case of a condition in which it isdetermined by the use of a data value of the data source whether or notaccess should be permitted, Access-mode may be a condition expressionwhich should be satisfied by a data value. Such a condition expressionis defined as a predicate expression. The predicate expression will bedescribed later using FIG. 8.

An access control policy is composed of a rule or a plurality of rules.For example, one rule is expressed as follows.<Subject-Type, Subject, Object, Access-mode>  (1)

The above described policy for Alice and Bob will be described as theexpression (2) below when the access control policy is used. Here, it isassumed that personnel information is located where the path,/site/people, designates in the XML document, and similarly,confidential information is located where /site/secret designates. Inthe expression (2), three rules are described in the access controlpolicy.<USERID, Alice, /site/people, +R><USERID, Alice, /site/secret, −R><USERID, Bob, /site, −R>  (2)

An access determination tree 100 of FIG. 5 is generated by the use ofthis access control policy. As shown in FIG. 5, the access determinationtree 100 is constructed of nodes and one or more of links under thenode. The link is a path which connects between the nodes. There may bethree or more of links from one node. An attribute to performdetermination whether or not access should be permitted is set to eachnode.

The attribute is a determination index used in moving from one node tothe next node. The attributes are Subject-Type and path, for example.Specifically, in the access determination tree 100, since Subject-Typeis UserID, UserID is the attribute. In the next node, each path ofObject is the attribute.

A link is generated from each element of the path expressioncorresponding to each attribute. Then, a new node is generated at thepoint linked to, and an attribute is assigned to the node.

When there is an access from a user, determination is performed bycomparing each path expression element calculated from this accessrequest and each attribute. A description will be given of a case, forexample, where Alice attempts to access “/site/people,” and the accessdetermining means 13 performs determination by the use of the accessdetermination tree 100. First, the access determining means 13 receivesthe access request, and separates elements of the path expression of theaccess request. In the case of FIG. 5, since the attributes are UserID,path1, and path2, the access determining means 13 determines thatelements of the path expression corresponding to the attributes are“Alice,” “site,” and “people.” By comparing these elements andattributes, the access determining means 13 performs determination andfollows the links of the access determination tree 100. In the end node,since Access-mode is set as “permitted,” this access will be permitted.

In addition, assume that Alice has requested access to“/site/people/emailaddress.” The “/site/people/emailaddress” is a lowernode of “/site/people” in the hierarchical structure. Since Alice cansee all personnel information (+R) for “/site/people,” Alice will bepermitted to see information for “/site/people/emailaddress” which is alower node thereof. In this way, by means of Access-mode of the end nodeof the tree-structured data, the access determination of a lower nodecan be determined by the upper node.

Next, a method of generating an access determination tree from theaccess control policy will be described in detail. Here, as an example,a description will be given of a case where theaccess-determination-tree generating means 12 generates an accessdetermination tree for Subject, and then generates an accessdetermination tree for Object. However, the order in which the accessdetermination trees of Subject and Object are generated may bearbitrary.

In FIG. 6, an access determination tree 200 for Subject-Type and Subjectare shown. Here, the access-determination-tree generating means 12generates the access determination tree of the rule shown in theexpression (3). UserID selected as Subject-Type is the attribute todetermine which node should be selected when a link is made from a nodeto the next node. For this attribute, the nodes linked to are generatedby “Alice” and “Bob” as elements by which the tree structure isbranched.<USERID, Alice, . . . ><USERID, Bob, . . . >  (3)

A method of generating an access determination tree for Subject is shownas a flowchart in FIG. 7. The access-determination-tree generating means12 generates a root node to be the root of the tree structure (StepS20). The access-determination-tree generating means 12 assignsSubject-Type to this root node, selects Subject-Type from such accesscontrol policy as is shown in the expression (3), and makes it theattribute of the root node (Step S21). Moreover, theaccess-determination-tree generating means 12 selects one Subject(Alice, for example) from the access control policy, makes it a valuefor a link, and generates a new node at the point linked to (Step S22).If the access control policy is composed of a plurality of rules asshown in the expression (3), and if Subject-Type is identical (StepS23), next Subject (Bob in the case of the expression (3)) is selected,and the access-determination-tree generating means 12 generates a linkand a new node. Here, the link of Bob is generated in such a manner thatthe link is connected from the node of UserID which is set as the rootnode in the rule of Alice. Moreover, the access-determination-treegenerating means 12 generates a link to the access determination tree ofObject for each generated node (Step S24).

Instead of generating the link of Bob by connecting in such a way, it isalso possible that, for example, after a root node of UserID, a link ofBob, and a node linked to are newly generated for the rules of Bob, theaccess-determination-tree merging means 14 merges it with the accessdetermination tree generated from the rules of Alice.

Next, an access determination tree for Object is generated from theaccess control policy. FIG. 8 shows an access determination tree 210 forObject. In FIG. 8, only an Object part of the rules represented by theexpressions (4) and (5) is shown. In the expression (4), the Object partis “/a/b,” and in the expression (5), it is “/a/c[@x>100].”Particularly, “[@x>100]” in the Object part of the expression (5) is apredicate expression.<USERID, Alice, /a/b, +R>  (4)<USERID, Bob, /a/c[@x>100], +R>  (5)

A predicate expression is a determination expression used when a datavalue is read out from a data source and the access control is performedon the basis of the data value. When the condition of this predicateexpression is satisfied, the determination content of Access-mode set tothis node is employed. Specifically, the predicate expression of theexpression (5) means that the access determining means 13 reads out adata value corresponding to the condition variable x from the datasource, and if the data value is larger than 100, the access ispermitted. The mark “@” in the predicate expression is a mark whichindicates the border between the predicate expression and the element ofObject. Another mark may also be used.

In addition, the predicate expression is an arithmetic expression forcomparing the data value read out from an XML document and the variablein the predicate expression. Two or more conditions may be combined bythe use of AND and/or OR in a predicate expression. For example, it ispossible to employ a determination expression, such as “a/b/[@x>100] AND/a/b/[@c=“abc”],” for example, in which the determination whether or notaccess should be permitted is performed by comparing data values andcondition values of x and c.

In FIG. 9, a method of generating an access determination tree forObject is shown as a flowchart. The access-determination-tree generatingmeans 12 generates a root node of Object (Step S31), and determineswhether “//” is included in Object (Step S32). If “//” is included inObject, the “//” process is performed (Step S33). The “//” process willbe described later using FIG. 11.

If “//” is not included in Object, the access-determination-treegenerating means 12 makes each element of Object separated by “/” inObject a path value, and stores the path value while maintaining thehierarchy of the path values (Step S34). For example, Object of “/a/b/d”is separated into the path values of a, b and d, and is stored with thehierarchy that a is the first in Object, b is next to a, and d is thenext maintained.

The integer i is used to discriminate each path to be the attribute ofthe node. The access-determination-tree generating means 12 sets i=1(Step S35), generates a new node by making a link of the path value froma node (Step S36), and makes the path value of the new node the value ofthe path1 (Step S37).

Further, the access-determination-tree generating means 12 determineswhether the next path value is NULL (i.e. there is no next element)(Step S38), and, if it is not NULL, the access-determination-treegenerating means 12 adds 1 to i to generate a node of the further lowerhierarchical level (Step S39), and returns to Step S36. When determiningthat the next Object value is NULL, the access-determination-treegenerating means 12 sets Access-mode for the end node which is to be theend of the nodes (Step S40). For Access-mode, theaccess-determination-tree generating means 12 typically sets thepermission or denial of access. However, in the case of the expression(5), for Access-mode, a predicate expression to be the condition for thepermission or denial of access is set as well as the permission ordenial of access is set.<USERID, Alice, /a/c//d, +R>  (6)

As shown in the expression (6), in some cases, “//” is included inObject. In this case, for example, no matter whatever hierarchy existsunder “/a/c/,” Alice can access “/d” under the hierarchy. In otherwords, “//” means that no matter whatever path value the thirdhierarchical level is, it is possible to access “/d” under the level.

In FIG. 10, the expression (6) is represented as an access determinationtree 250. The nodes are generated by the above described separation ofthe Object elements until path2=“c.” When “//” is reached, anew accessdetermination tree is generated. This new access determination tree isconstructed of three nodes, which are a node linked to when the value is“d,” a node linked to when the value is “NULL,” and a node linked towhen the value is “all the others.” The node which is linked to when thevalue is “all the others” is selected when the value does not matchwhichever values other than “all the others.” When the value is “all theothers,” i is added by 1, and the “//” processing returns back to theroot node of the newly generated access determination tree.

A flowchart of the “//” process is shown in FIG. 11. Theaccess-determination-tree generating means 12 separates Object by “/”and “//”, stores them while maintaining the hierarchy of the path valuesseparated, and marks the hierarchical levels before and after “//” todistinguish from those of “/” (Step S51). The access-determination-treegenerating means 12 determines whether it is the path value of thehierarchical level before “//” from this marking (Step S53). If it isnot the path value of the hierarchical level before “//,” the abovedescribed generation process of the access determination tree for “/” isperformed (from Step S57 to Step S61). If it is the path value of thehierarchical level before “//,” a new access determination tree isgenerated (Step S54). The access-determination-tree generating means 12generates a link between the new access determination tree and theparent access determination tree (Step S55), and set Access-mode (StepS56).

In the step of generating the new access generation tree, as shown inFIG. 10, generated are a node which is generated from the path valueafter “//” (the path value “d” in the case of FIG. 10), a node the pathvalue of which is NULL, and a node the path value of which is “all theothers”. Then, access-determination-tree generating means 12 sets thedetermination content specified by the rule to the node which isgenerated from the path value after “//,” and sets “inapplicable” to theNULL node. Moreover, the access-determination-tree generating means 12sets, to the node of “all the others,” processing of adding 1 to thevalue of i and a link to the root node of the new access determinationtree.

As a method of generating an access determination tree, a method may beadopted in which access determination trees for Subject and for Objectare individually generated, and merged. Alternatively, a method may beadopted in which, as shown in FIG. 12, each of the rules constitutingthe access control policy is read one by one, and an accessdetermination tree is generated by the use of nodes and links of theother access determination trees which have already been stored. As anexample of a method of the latter case, a case will be discussed wherean access determination tree is generated from the rules of theexpressions (7) to (10).<USERID, Alice, /a/b, +r>  (7)<USERID, Alice, /a/c[@x>100], +r>  (8)<USERID, Bob, /a/b, +R>  (9)<USERID, Bob, /a/c[@x>100], +R>  (10)

The access-determination-tree generating means 12 generates an accessdetermination tree 351 of Step 1 from the expression (7), connects therule of the expression (8) to a node of the access determination tree351 of Step 1, and generates an access determination tree 352 of Step 2.In this way, two rules (the expressions (7) and (8)) can share thedetermination conditions of path2 and the upper nodes thereof. When thecommon part is large, it is possible to efficiently generate a datastructure for a complicated designation (path expression) of Object.Subsequently, an access determination tree 353 of Step 3 is generatedfrom the expression (9), and an access determination tree 354 of Step 4is generated from the expression (10).

The access-determination-tree generating means 12 may change the orderof paths so that such a common part becomes maximum in a plurality ofaccess determination trees. Specifically, the arrangement of the nodesmay be changed so that the common part of the tree-structured databecomes maximum. When the common part is large in a plurality oftree-structured data, since the data amount of the entiretree-structured data decreases, the hardware resources of the accesscontrol device 10 can be efficiently used.

Although, in the above description, an access determination tree hasalready be generated and stored before the access determination isperformed, the time of generation of the access determination tree maybe during the execution of the access determination. Specifically, theaccess determination tree may be generated and stored when there is anaccess request from a user, and the access determination may then beperformed.

Next, a more detailed description will be given of the accessdetermination performed when there is an access request from a user forthe access determination tree generated by the access-determination-treegenerating means 12. FIG. 13 is a flowchart of the access determination.

The access determining means 13 receives an access request, andseparates the elements of the access request (hereinafter referred to as“access request elements”) (Step S71). Specifically, the accessdetermining means 13 separates the attributes of the access from theaccess request in terms of Subject-Type, Subject, and path values. Bythe use of the separated access request elements, the accessdetermination is performed.

First, the access determining means 13 selects one access determinationtree from among the access determination trees stored in theaccess-determination-tree storing means 17 (Step S72). Next, the accessdetermining means 13 compares the Subject-Type value of the selectedaccess determination tree and the Subject-Type value of the accessrequest elements. When both of the Subject-Type values agree with eachother, the access determining means 13 determines whether there existsthe link which corresponds to the Subject value of the accessdetermination tree and the Subject value of the access request (StepS73).

When there is no corresponding link, the access determining means 13determines that it is impossible to perform the access determination bythe use of this access determination tree. In this case, the accessdetermining means 13 determines whether an access determination treeother than this access determination tree (hereinafter referred to asanother access determination tree) is stored in theaccess-determination-tree storing means 17 (Step S77) If another accessdetermination tree is stored, the access determining means 13 performsthe process from Step S72 for the another access determination tree.

On the other hand, if another access determination tree is not stored,it is determined to be “inapplicable” (Step S78). The case of“inapplicable” means the case where there exists no policy for thisSubject from the beginning, or the case where there is arising thenecessity of generating a new access determination tree relating to thispolicy. Accordingly, in the former case, the administrator may setAccess-mode to permit access. In the latter case, the process ofgenerating an access determination tree may as well be performed.

In the case where there exists a relevant link, the access determiningmeans 13 compares the Object value of the access request elements andthe path value of the access determination tree, and follows the link ofthe access determination tree (Step S75). When there exists a link, theaccess determining means 13 adds 1 to i, and further follows the link toa deeper hierarchical level (Step S76). When there is no link, theaccess determining means 13 performs the determination of Step S79.

Next, the access determining means 13 determines whether the node of theaccess determination tree for which comparison is being performed is anend node (Step S79). If it is an end node, the access determining means13 performs the determination of Step S80. If it is not an end node, theaccess determining means 13 determines that it is impossible to performthe access determination by the use of this access determination tree.In this case, the access determining means 13 determines whether anotheraccess determination tree is stored in the access-determination-treestoring means 17 (Step S77). If another access determination tree isstored, the access determining means 13 performs the process from StepS72 for the another access determination tree. If another accessdetermination tree is not stored, the access determining means 13determines that it is “inapplicable” (Step S78).

When determining that it is an end node of the access determinationtree, the access determining means 13 determines whether the node isaccompanied with a predicate expression to be a condition of the accessdetermination (Step S80).

When the node is not accompanied with a predicate expression, the accessdetermining means 13 settles the determination on the basis of thecontent of the determination which is set to Access-mode (Step S82).Here, the settlement of the determination may be an interim settlement,and the consistency verification means 15 may perform the consistencyverification of the access for the settlement.

When the node is accompanied with a predicate expression, the accessdetermination means 13 determines the predicate expression, and performsthe access determination of a condition using a data value, as well assettles the determination (Step S81).

Here, in some cases, there exist a plurality of access determinationtrees in each of which the links can be followed to the end node.Specifically, this is the case where a plurality of access determinationtrees are stored in the access-determination-tree storing means 17 asdifferent access determination trees while the attributes of therespective nodes of the access determination trees are identical. Inthis case, while there exists a case where a plurality of settlements ofthe determination exist, the consistency verification means 15 mayverify which result is appropriate among the plurality of the results.

A description will be given of the determination which is performed bythe access determining means 13 when an access request, “A user, Alice,wants to read /site/people/person/emailaddress,” is made, for example.The access determining means 13 decomposes the access request intoSubject-Type, Subject, and Object, and makes them access requestelements. The access request elements are shown in the expression (11).Subject-Type: UserIDSubject: AlicePath1: sitePath2: peoplePath3: personPath4: emailaddress   (11)

The access determining means 13 selects an access determination treefrom among the access determination trees stored in theaccess-determination-tree storing means 17, and determines whetherSubject-Type shows an agreement in UserID and there exists a linkSubject of which is Alice. Specifically, when the access determinationtree 100 of FIG. 5 is selected as an access determination tree, sinceSubject-Type is UserID and Subject is Alice, the access determiningmeans 13 follows the left link of the access determination tree. Next,the first path, “path1,” of Object is “site,” and this also correspondsto the link. The second path, “path2,” is “people,” and this correspondsto the left link. Then, since this node is the end node already, thedetermination of “access permitted” is made which is the accessdetermination set to the end node. If the path the access to which isattempted by Alice is “/site/secret/blacklist,” since “access denied” isset to the node under “/site/secret,” the determination of “accessdenied” is made.

Next, a description will be given of the determination in the case whereObject includes “//.” Also in this case, as in the case where Object iscomposed including “/” only, the determination is settled by selectingan access determination tree and following the links thereof.

For example, imagine the access control policy represented by theexpressions (12) and (13). FIG. 14 shows access determination trees 300and 301 of Object which are generated for these rules. Assume that Aliceaccesses “/site/people/person/name/.” The Object elements of the accessrequest elements are represented by a path value as shown in theexpression (13).<Alice, /site//person, +R>  (12)<Alice, /site/auction, +R>  (13)Path1: sitePath2: peoplePath3: personPath4: name   (14)

The access determining means 13 reaches the node of path1 via the nodeof “Subject: Alice.” Next, the access determining means 13 follows thelink which shows an agreement in the path value, “site.” Then, frompath2, the link of “all the others” is followed, and the accessdetermination tree 301 is linked. Since i=2, the access determiningmeans 13 checks path2, and follows the link of “all the others” of theaccess determination tree 301. Then, after i is added by 1, the accessdetermining means 13 goes back to the root node of the accessdetermination tree 301 again. This time, since i=3, the accessdetermining means 13 checks path3. Since there exists a linkcorresponding to “person,” this link is followed, and the determinationresult of “access permitted” is obtained.

A description will be given of the access control using a data value inthe above described Step S81. As described above, when there is nopredicate expression, the access determining means 13 performs theaccess determination without performing processing relating to apredicate expression. On the other hand, when there is a predicateexpression, the access determining means 13 instructs theaccess-determination-tree generating means 12 to generate an accessdetermination tree which determines the condition by the use of a datavalue (hereinafter referred to as “access determination tree using adata value”), and performs the access determination by the use of thegenerated “access determination tree using a data value.” If the accessdetermination tree using a data value has already been generated andstored in the access-determination-tree storing means 17, theaccess-determination-tree generating means 12 does not generate anaccess determination tree, and the access determining means 13 performsthe access determination from the stored access determination tree.

A description will be given of the generation of an access determinationtree when a predicate expression is included. The expressions (15) to(20) are the expressions in which predicate expressions only are shownout of each rule. These expressions mean that, when the conditions onthe right side of the expressions are satisfied, +R (permitted) or −R(denied) which is written on the left side of the expressions isapplied. As shown in the expression (17), in some cases, the predicateexpression is composed with “[” doubled. In the case of the expression(17), since the conditions are ORed by OR, the expression (17) can beseparated into the expressions (15) and (18). Also in the case where apredicate expression is not such an expression that is apparentlyseparable by OR as in the case of the expression (17), an expression canbe separated by the use of a disjunctive normal form, for example.+R: [@salary>10000 and @band=6]  (15)−R: [@salary>10000 and @band=7]  (16)+R: [[@salary>10000 and @band=6] or @salary<2000]  (17)+R: [@salary<2000]  (18)+R: [@age>30]  (19)+R: [@salary<2000 and [@band=6 or @range=3]]  (20)

Names of specific parts of the predicate expressions are defined bellow.First, a condition expression is each of expressions which are separatedby AND of the predicate expression. For example, the conditionexpression of the expression (15) is each of the expressions of“@salary>10000” and “@band=6.” Particularly, when a plurality ofcondition expressions exist in the field enclosed by “[” like in thecase of [@salary>10000 and @band=6], the two condition expressions areconsidered as a plurality of condition expressions enclosed by “[.”Additionally, a condition variable is the variable next to @. In thiscase, the condition variables are “salary” and band.” Moreover, acondition value is composed of a condition of the condition variable anda data value. In this example, the condition values are “>10000” and“=6.”

A flowchart of the access control using a data value is shown in FIG.15. The access determining means 13 separates the predicate expressionby OR (Step S91), and determines whether a plurality of “[” are includedin the predicate expression (Step S92). The case where a plurality of“[” are included is the case of the expression (20), for example. Inthis case, the access-determination-tree generating means 12 generatesaccess determination trees for the respective separated conditionexpressions (Step S98).

When there is one condition expression in the field enclosed by “[,”Steps S95 to S97 are performed for the condition expression only. On theother hand, when there are a plurality of condition expressions in thefield enclosed by “[,” the access-determination-tree generating means 12selects one condition expression, and generates an access determinationtree for the condition expression. After this generation, theaccess-determination-tree generating means 12 selects the next conditionexpression, and generates an access determination tree therefor. In thismanner, the access-determination-tree generating means 12 generatesaccess determination trees for the plurality of condition expressionsrespectively (Step S97).

A description will be given of the generation of access determinationtrees for conditions enclosed by a pair of “[” and “]” morespecifically. The access-determination-tree generating means 12generates a root node (Step S94). Next, the access-determination-treegenerating means 12 set the condition variable as the determinationcondition of the root node (Step S95), makes a link of the condition ofthe condition variable from the node, and generates a new node (StepS96). Moreover, if a condition expression follows after AND or OR, theaccess-determination-tree generating means 12 generates an accessdetermination tree of the next condition expression (Step S97). If thereis no more condition expression, the access-determination-treegenerating means 12 set “access permitted” or “access denied” to the endnode.

The access-determination-tree generating means 12 generates an accessdetermination tree for the next “[” when the generation for one “[” isfinished in the field enclosed by “[.” The determination for this isperformed in Step S98. When the generation of the access determinationtrees is finished for all of the condition expressions, a link is madebetween the root node of the access determination tree using a datavalue thus generated and the end node of the access determination treenot using a data value, the end node including the predicate expression(Step S99).

In some cases, two rules are set as an access control policy, like inthe case of “the expression (15) AND the expression (19).” In this case,since each access determination tree is generated for each rulerespectively, the process from Step S90 to Step S99 is repeated.

FIG. 16 shows an access determination tree 360 generated from thecondition expression, @salary>10000, which is the first half of theexpression (15), and the condition expression, @band=6, which is thelatter half of the expression (15), and shows an access determinationtree 361 generated from the condition expression, @salary>10000, whichis the first half of the expression (16), and the condition expression,@band=7, which is the latter half of the expression (16). An accessdetermination tree 362 below the arrow is generated by merging from thetwo access determination trees. In this case, since both of the accessdetermination trees include the node and link designating the conditionexpression of the first half, @salary>10000, theaccess-determination-tree merging means 14 merges the upper nodes. Byperforming such merging, the data amount of the upper nodes of an accessdetermination tree decreases, and therefore, it is possible to decreasethe data amount of the access control policy.

In the case of the access determination tree which includes a predicateexpression, the access determining means 13 reads out the data valuesfor the predicate expression from the data source. A process of readingout the data value is illustrated in a flowchart of FIG. 17. First, theaccess determining means 13 reads out a data value from the data source(Step S105).

By the use of the read-out data value and a condition variable, theaccess determining means 13 determines whether there exists a linkcorresponding to this data value (Step S106). If it is determined thatthe link exists, the access determining means 13 advances to a furtherlower node (Step S107), and determines whether there exists such a link.If there is no such link, the access determining means 13 determineswhether the end node of the access determination tree is reached (StepS108). If it is not the end node, there is no node corresponding to thecondition expression. Therefore, the access determining means 13determines that this access determination tree is not applicable (StepS110). If it is the end node, the access determining means 13 performsthe determination whether or not access should be permitted fromAccess-mode which is set to the end node (Step S109).

As a advantageous example in the case where a predicate expressionexists, assume that the access determining means 13 reads out a datavalue from an XML document 400 of FIG. 18. Since the predicateexpressions include @income and @age as condition variables, the accessdetermining means 13 reads out the data values of @income and @age fromthe data source. The access control policy is the policy made up of theexpressions (21) and (22). In this policy, a case will be discussedwhere Subject-Type is Group. Here, Alice and Bob belong to a group ofWorker, an access determination tree 401 is generated as the accessdetermination tree for Subject-Type and Subject. Moreover, an accessdetermination tree 402 is generated from the Object part of theexpressions (21) and (22).<Group: Worker, /site/people/person[profile[@age>13 and @income<10000]],+R>  (21)<Group: Worker, /site/secret, −R>  (22)

Such access determination trees 401 and 402 are access determinationtrees which do not need to read out a data value, and the determinationwhether or not access should be permitted is made normally by the use ofthese access determination trees. However, when there is a request ofaccess to the part which is controlled by the use of a condition using adata value as described below, the determination whether or not accessshould be permitted is made by reading out a data value as describedbelow.

Assume that the access control device 10 is requested to determine“whether one who belongs to the Worker group can access/site/people/person/name.” The access determining means 13 follows theaccess determination trees 401 and 402, and follows the accessdetermination tree 403 of Object.

By following the links, when the determination execution reaches thenode to which a predicate expression is set, theaccess-determination-tree generating means 12 generates the accessdetermination tree 403 using a data value. The access-determination-treegenerating means 12 generates a root node, and assigns “profile” whichis the first condition variable in the field enclosed by “[” to theattribute of the root node. Since the value of the condition variable“profile” may be any value, “all the others” is assigned as the value ofthe attribute for the node of profile. Next, theaccess-determination-tree generating means 12 generates the nodes andlinks for the condition expressions of “age>13” and “income<10000.”Since these condition expressions are ANDed conditions by AND, as forthe order of the nodes, the node of “income<10000” may be under the nodeof “age>13,” and vice versa. In any of these cases, theaccess-determination-tree generating means 12 set Access-mode to the endnode as the determination whether or not access should be permitted.

The access determining means 13 reads out a data value from the XMLdocument 400 which is the data source. In this case, data values ofincome and age are described in the XML document 400 for each of Aliceand Bob belonging to the Worker group. Accordingly, the accessdetermining means 13 reads out the data values for both of Alice andBob.

The read-out data values are represented as the expressions (23) and(24). From these expressions, the condition that age is higher than 13is satisfied by either Alice or Bob. However, from the conditionexpression of income, the access of Alice will be denied because incomeis 15000, and the access of Bob will be permitted because income is5000.Alice @income:15000, @age:54   (23)Bob @income:5000, @age:42   (24)

As described above, in the case of the access to the part of the datasource which is designated by the expression (22) (the access to/site/secret by Alice), the access determining means 13 performs thedetermination whether or not access should be permitted by the use ofthe access determination trees 401 and 402. However, in the case of theaccess to the part which is designated by a predicate expression like inthe case of the expression (17) (the access to /site/people/person byAlice), there arises the necessity to read out a data value for thedetermination whether or not access should be permitted. In this case,the access determination tree 403 is generated, and the determinationwhether or not the access to the part which is designated by thepredicate expression should be permitted is made.

Accordingly, it is not necessary to always store tree-structured datawhich has a node of a condition using a data value in a storing device,such as a memory, as data for access determination.

It should be noted that the access determination trees 402 and 403 ofObject can be used in any of the cases where Subject is Alice, Bob, orWorker. Specifically, the access determination trees 402 and 403 ofObject can be used independently of the access determination tree ofSubject. For example, the access determination trees 402 and 403 can belinked not only to the access determination tree 401 for Subject butalso to the access determination tree 200 for Subject of FIG. 6. In thiscase, the access determination trees 200 and 401 can share the accessdetermination trees 402 and 403.

Additionally, the access-determination-tree generating means 12 maymerge a plurality of access determination trees which include identicalnodes and links, after the access determination tree using a data valueand the access determination tree not using a data value are generated.A flowchart of merging access determination trees is shown in FIG. 19.The access-determination-tree generating means 12 determines whethercertain links and nodes of an access determination tree are the same asthose of another access determination tree (Step S121). When these areidentical respectively, the access-determination-tree generating means12 merges the access determination trees (Step S122). The consistencyverification means 15 may verify the consistency of the access after thefinish of generation and merging of the access determination trees (StepS123).

Additionally, after an access generation tree using a data value isgenerated, the access determination tree may be linked to the accessdetermination tree not using a data value which is to be the upper node.

An access control method which realizes such an embodiment can berealized by a program to be executed on a computer or a server. As thestoring medium for this program, an optical storage medium such as aDVD, an MO and a PD, a tape medium, a semiconductor memory or the likecan be listed. Additionally, a storing device such as a hard disk or aRAM which is provided in a server system connected a privatecommunication network and/or the Internet may be used as storing meansto provide the program via the network.

Hereinbefore, while the embodiment of the present invention has beendescribed, this is only for the purpose of illustrating a specificexample, not limiting the present invention. Moreover, the effectsdescribed in the embodiment of the present invention are listed only asthe most advantageous effects obtained from the present invention. Theeffects of the present invention are not limited to those described inthe embodiment of the present invention.

According to the above described embodiment, an access control device,an access control method, and a computer readable storage medium storingthe method, which are recited in the below described items, can berealized.

(1) An access control device for controlling access to a data source,comprising:

policy storing means for storing a plurality of policies, each forcontrolling access to a part of the data source, when these policies areinputted;

access-determination-tree generating means for generating a plurality oftree-structured data from the plurality of policies;

access-determination-tree merging means for merging the plurality oftree-structured data;

access-determination-tree storing means for storing the mergedtree-structured data; and

access determining means for, in response to access to a part of thedata source being attempted, determining from the merged tree-structureddata whether or not the access to the part should be permitted.

(2) The access control device as recited in the item (1), wherein

the access-determination-tree merging means merges the plurality oftree-structured data by extracting a common part of the plurality oftree-structured data and placing the extracted common part on an uppernode of the tree structure.

(3) The access control device as recited in the item (2), wherein

the access-determination-tree merging means performs the merging so thatthe common part of the plurality of tree-structured data becomesmaximum.

(4) The access control device as recited in the item (1), furthercomprising:

consistency verification means for, after the determination whether ornot the access should be permitted is made, verifying consistency of thedetermination.

(5) The access control device as recited in the item (1), wherein,

the access determining means reads out a data value from the data sourcein response to the access to the part of the data source beingattempted, and, by the use of the data value, determines whether or notthe access should be permitted from the merged tree-structured data.

(6) The access control device as recited in the item (1), wherein

the part of the data source is designated by a path expression

described in a path expression language.

(7) The access control device as recited in the item (6), wherein

the access-determination-tree generating means generates thetree-structured data from the path expression and an attribute of a userwho attempts to access the part of the data source.

(8) The access control device as recited in the item (6), wherein

the path expression language is XPath.

(9) An access control method for controlling access to a data source,comprising the steps of:

storing a plurality of policies, each for controlling access to a partof the data source, when these policies are inputted;

generating a plurality of tree-structured data from the plurality ofpolicies;

merging the plurality of tree-structured data;

storing the merged tree-structured data; and

in response to access to a part of the data source being attempted,determining from the merged tree-structured data whether or not theaccess to the part should be permitted.

(10) The access control method as recited in the item (9), wherein,

in the merging step, the access control device merges the plurality oftree-structured data by extracting a common part of the plurality oftree-structured data and placing the extracted common part on an uppernode of the tree structure.

(11) The access control method as recited in the item (10), wherein,

in the merging step, the access control device performs the merging sothat the common part of the plurality of tree-structured data becomesmaximum.

(12) The access control method as recited in the item (9), furthercomprising the step of:

after the determination whether or not the access should be permitted ismade, verifying consistency of the determination.

(13) The access control method as recited in the item (9), wherein,

in the tree-structured data generating step, the access control devicegenerates the tree-structured data from a path expression designatingthe part of the data source and an attribute of a user who attempts toaccess the part of the data source.

(14) A computer-readable storage medium storing a program for executingthe access control method as recited in any one of items (9) to (13).

The present invention is applicable not only to a database managementsystem in which many users access a data source having a large amount ofdata, but also to a database management system in which a plurality ofdata sources having a large amount of data are stored in physicallydifferent servers and the like, and many users access these datasources.

Although the advantageous embodiment of the present invention has beendescribed in detail, it should be understood that various changes,substitutions and alternations can be made therein without departingfrom spirit and scope of the inventions as defined by the appendedclaims. Variations described for the present invention can be realizedin any combination desirable for each particular application. Thusparticular limitations, and/or embodiment enhancements described herein,which may have particular advantages to a particular application neednot be used for all applications. Also, not all limitations need beimplemented in methods, systems and/or apparatus including one or moreconcepts of the present invention. The present invention can be realizedin hardware, software, or a combination of hardware and software. Avisualization tool according to the present invention can be realized ina centralized fashion in one computer system, or in a distributedfashion where different elements are spread across severalinterconnected computer systems. Any kind of computer system—or otherapparatus adapted for carrying out the methods and/or functionsdescribed herein—is suitable. A typical combination of hardware andsoftware could be a general purpose computer system with a computerprogram that, when being loaded and executed, controls the computersystem such that it carries out the methods described herein. Thepresent invention can also be embedded in a computer program product,which comprises all the features enabling the implementation of themethods described herein, and which—when loaded in a computer system—isable to carry out these methods.

Computer program means or computer program in the present contextinclude any expression, in any language, code or notation, of a set ofinstructions intended to cause a system having an information processingcapability to perform a particular function either directly or afterconversion to another language, code or notation, and/or reproduction ina different material form.

Thus the invention includes an article of manufacture which comprises acomputer usable medium having computer readable program code meansembodied therein for causing a function described above.

The computer readable program code means in the article of manufacturecomprises computer readable program code means for causing a computer toeffect the steps of a method of this invention. Similarly, the presentinvention may be implemented as a computer program product comprising acomputer usable medium having computer readable program code meansembodied therein for causing a function described above. The computerreadable program code means in the computer program product comprisingcomputer readable program code means for causing a computer to effectone or more functions of this invention. Furthermore, the presentinvention may be implemented as a program storage device readable bymachine, tangibly embodying a program of instructions executable by themachine to perform method steps for causing one or more functions ofthis invention.

It is noted that the foregoing has outlined some of the more pertinentobjects and embodiments of the present invention. This invention may beused for many applications. Thus, although the description is made forparticular arrangements and methods, the intent and concept of theinvention is suitable and applicable to other arrangements andapplications. It will be clear to those skilled in the art thatmodifications to the disclosed embodiments can be effected withoutdeparting from the spirit and scope of the invention. The describedembodiments ought to be construed to be merely illustrative of some ofthe more prominent features and applications of the invention. Otherbeneficial results can be realized by applying the disclosed inventionin a different manner or modifying the invention in ways known to thosefamiliar with the art.

1. An access control device for controlling access to a data source,comprising: policy storing means for storing a plurality of policies,each policy for controlling access to a part of said data source, whensaid plurality of policies are inputted; access-determination-treegenerating means for generating a plurality of tree-structured data fromsaid plurality of policies; access-determination-tree merging means formerging said plurality of tree-structured data;access-determination-tree storing means for storing the mergedtree-structured data; and access determining means for, in response tosaid access to said part of said data source being attempted,determining from said merged tree-structured data whether or not saidaccess to said part of said data source should be permitted.
 2. Theaccess control device according to claim 1, wherein saidaccess-determination-tree merging means merges said plurality oftree-structured data by extracting a common part of said plurality oftree-structured data and placing the extracted common part on an uppernode of the tree structure.
 3. The access control device according toclaim 2, wherein said access-determination-tree merging means performsthe merging so that said common part of said plurality oftree-structured data becomes maximum.
 4. The access control deviceaccording to claim 1, further comprising consistency verification meansfor, after the determination whether or not said access should bepermitted is made, verifying consistency of said determination.
 5. Theaccess control device according to claim 1, wherein said accessdetermining means reads out a data value from said data source inresponse to said access to said part of said data source beingattempted, and, by the use of said data value, determines whether or notsaid access should be permitted from said merged tree-structured data.6. The access control device according to claim 1, wherein said part ofsaid data source is designated by a path expression described in a pathexpression language.
 7. The access control device according to claim 6,wherein said access-determination-tree generating means generates saidplurality of tree-structured data from said path expression and anattribute of a user who attempts to access said part of said datasource.
 8. The access control device according to claim 6, wherein saidpath expression language is XPath.
 9. An access control method forcontrolling access to a data source, comprising: storing a plurality ofpolicies, each for controlling access to a part of said data source,when said plurality of policies are inputted; generating a plurality oftree-structured data from said plurality of policies; merging saidplurality of tree-structured data; storing the merged tree-structureddata; and in response to said access to said part of said data sourcebeing attempted, determining from said merged tree-structured datawhether or not said access to said part of said data source should bepermitted.
 10. The access control method according to claim 9, whereinsaid merging comprises, merging said plurality of tree-structured databy extracting a common part of said plurality of tree-structured dataand placing the extracted common part on an upper node of the treestructure.
 11. The access control method according to claim 10, whereinsaid merging comprises, performing the merging so that said common partof said plurality of tree-structured data becomes maximum.
 12. Theaccess control method according to claim 9, further comprising, afterthe determination whether or not said access should be permitted ismade, verifying consistency of said determination.
 13. The accesscontrol method according to claim 9, wherein said tree-structured datagenerating comprises, generating said plurality of tree-structured datafrom a path expression designating said part of said data source and anattribute of a user who attempts to access said part of said datasource.
 14. A computer-readable storage medium storing a program forexecuting the access control method according to claim
 9. 15. An articleof manufacture comprising a computer usable medium having computerreadable program code means embodied therein for causing control ofaccess to a data source, the computer readable program code means insaid article of manufacture comprising computer readable program codemeans for causing a computer to effect the steps of claim
 9. 16. Aprogram storage device readable by machine, tangibly embodying a programof instructions executable by the machine to perform method steps forcontrolling access to a data source, said method steps comprising thesteps of claim
 9. 17. A computer program product comprising a computerusable medium having computer readable program code means embodiedtherein for causing control of access to a data source, the computerreadable program code means in said computer program product comprisingcomputer readable program code means for causing a computer to effectthe functions of claim
 1. 18. A computer-readable storage medium storinga program for executing the access control method according to claim 10.19. A computer-readable storage medium storing a program for executingthe access control method according to claim
 11. 20. A computer-readablestorage medium storing a program for executing the access control methodaccording to claim 12.